ChatGPT E0_DOC80_Core_Final_A_Grade_Review.md
Memory Rebuild Docs/Flattening/Reviews/Stage 6 Reviews/Stage 6 E0 Red Teaming/ChatGPT E0_DOC80_Core_Final_A_Grade_Review.md
ELNOR REPO READER TEXT MIRROR
Original path: Memory Rebuild Docs/Flattening/Reviews/Stage 6 Reviews/Stage 6 E0 Red Teaming/ChatGPT E0_DOC80_Core_Final_A_Grade_Review.md
Source repo: /Users/OpenClaw1/Elnor/Elnor Specs
Git branch: main
Git commit: dbaa25962edc11ab30e8d4ca1715f9ae5bf77331
Generated: 2026-06-09T01:23:58.539Z
---
# E0 DOC80 Core Charter Draft — Final A-Grade Red-Team Review and Scope-Correct Remediation Plan
**Target artifact:** `Memory Rebuild Docs/Stage_6_Charters/E0_DOC80_Core/Charter_Draft.md`
**Review purpose:** Consolidate the full multi-pass red-team review into one final, scope-correct remediation document.
**Final review status:** This document consolidates the earlier broad review, second-pass addendum, third-pass hardening review, audit of omissions, and later adjudication of the external ChatGPT critique. It incorporates the adjudication’s verified findings; it does not replace the source evidence for those verified claims.
**Operating rule:** Harvest every real bug/gap, but cut any proposed schema body that E0 does not own or whose design belongs to Stage 7, Stage 8, Stage 9, DOC11, DOC24, DOC25, DOC81-DOC87, or a later member charter.
---
## Source basis and evidence trail
This review is a remediation document, not the primary source pack. For implementation work, each patch should be re-cited against the operative repo artifacts. The source-basis blocks below preserve what the E0 revision author must verify and cite during the actual patch.
| Finding area | Source basis to verify in repo | Why it matters |
|---|---|---|
| `ContextProductKind` | ABC R0.2 §9.2, ABC R0.2 §9.3, SM-060, current E0 ContextProduct section | ABC §9.2 enumerates 17 values while SM-060 says 14; E0 cannot leave DOC84/E7/E8 binding to an illustrative enum. |
| `FinalPromptTruthRef` | Skeletal DOC80 §18 golden scenario, DOC11/OpenClaw final prompt truth, DOC24/BDSM final-prompt manifest / utility-attribution material, current `ContextPacketProof` section | E0 must distinguish packet assembly from executed-prompt survival. |
| `MemoryFlowCertificate` | ADQ-207, current MFC section, proof/lint tables | Six privileged flows need structurally enforced proof refs, not optional comments. |
| Source revocation cascade | Stage 5R2 source-revocation cascade finding, Stage 5R workflow story, current recovery/replay/monotonicity sections | Revocation is a five-plane cascade, not a local DOC82 event. |
| `SemanticProjectionContract` | Owner Map, Skeletal projection split, current E0 object classification/projection mentions | Projection must never own truth and needs an E0 umbrella contract. |
| ADQ normalization | Stage 6 Charter Input Index, E0 Input Deck, Opening Brief, ADQ Queue, draft §17 | E0 cannot close with ADQ-207/312/313 appearing inconsistently across source artifacts. |
| Source-pack drift | Owner Map, Retired Names, Supersession Matrix, ADQ Queue, E0 prompt path, RUN_STATE, E0 README / Opening Brief | A foundation charter cannot cite a contradictory source pack. |
| OP-A closure | OP-A maintenance discipline and SPEC_STATE / ADDENDA_STATE tracker rules | Red-team closure must update standing obligation trackers so the next session does not lose decisions. |
When this review says “source conflict” or “verified drift,” it means the revision should include exact repo citations in the patched E0 review packet. This document preserves the required checks and final recommendations.
---
## 0. Executive verdict
**Verdict: `E0_NEEDS_REVISION_BEFORE_RED_TEAM_CLOSES`.**
This is not an architecture restart. The DOC80-family decomposition is directionally sound, and E0 covers most Opening Brief targets at a high level. But E0 is the foundation for the memory system. It cannot be ratified while it still contains source conflicts, under-specified proof semantics, missing cross-plane invariants, ambiguous ownership boundaries, and source-pack drift.
Final settled severity:
```text
Moderate surgical hardening, with one P0 downstream-blocking source conflict.
Not a global Stage 6 failure.
Not a reason to absorb Stage 7/8/9 into E0.
Not safe to close red-team review until patched.
Not safe for E7/E8 to bind to ContextProduct yet.
```
The most important correction to my early review is scope discipline. Several earlier recommendations were correct as gap detection but too expansive as E0-owned schema work. The final standard is:
> For every proposed addition: extract the underlying gap, then ask whether E0 owns the object and whether the design is settled. If yes, E0 may carry a full contract body. If not, E0 should carry only the name, invariant, owner assignment, lint names, and downstream handoff.
That rule preserves the real findings while avoiding E0 becoming the whole memory system.
---
## 1. A-grade acceptance standard for E0
E0 is not an ordinary slice charter. It defines the core grammar for the DOC80 memory family. An A-grade E0 must make downstream misuse difficult.
An A-grade E0 should prevent, or make lint-detectable:
```text
- inventing a local reason-code system;
- using a projection as canonical truth;
- learning from content that did not reach the final executed prompt;
- rendering removed, blocked, stale, or ineligible membership;
- treating source revocation as merely a DOC82 issue;
- letting DOC8 re-enter as runtime owner without an explicit legacy-reserved status;
- adding DOC25 as ReasonCode producer without source or architect decision;
- turning ContextProduct into a phantom enum;
- confusing DOC80 registry ownership with DOC84 assembly ownership;
- treating stale / suppressed / reference-only / archived / retired as erased;
- writing Stage 7 schemas without schema-version and migration conventions;
- treating proof artifacts as transient when they gate durable effects;
- closing acceptance criteria without negative fixtures;
- hiding degradation or background-yield behavior behind non-operative booleans.
```
E0 must provide:
```text
1. Preservation proof for Stage 5R / 5R2 / 5R2b decisions.
2. Core registry mechanics and owner assignments.
3. Proof-spine invariants and settled E0-owned proof contracts.
4. Cross-plane invariants for revocation, projection, final-prompt truth, replay, and EC sole-writer behavior.
5. Named lint families and fixture handoffs, without implementing Stage 8/9 systems.
6. Source-pack drift corrections.
7. Clear deferrals for Stage 7 schema bodies and member-charter-owned payloads.
8. Closing tracker obligations: OP-A, SPEC_STATE, and ADDENDA_STATE where applicable.
```
---
## 2. Scope discipline: what belongs in E0 vs later stages
### 2.1 Full or near-full bodies that should land in E0
These are E0-owned and design-settled enough for operative E0 contracts:
```text
- MemoryFlowCertificate discriminated union.
- ReasonCode namespace and registry mechanics.
- ContextProduct registry-entry grammar, not payload/assembly bodies.
- SemanticProjectionContract umbrella and axis-owner table.
- Proof retention classes and proof-gated-effect retention rule.
- ExternalDependencyRecord minimum reproducible pinning fields.
- ECSeamContract explicit responsibility list.
- SourceRevocationCascadeContract as a cross-plane invariant/contract.
- WarrantDegradationTriggerRegistry entry mechanics if E0 owns the trigger registry.
- MemoryCoordinationTrace correlation fields needed for turn/session stitching.
```
### 2.2 Name + invariant + lint names only
These are real findings, but E0 should not carry full field-level bodies:
```text
- FinalPromptTruthRef: DOC11/OpenClaw owns runtime truth body.
- PromptShellExposure: E0 may define reference/invariant; DOC84/DOC11 own execution bodies.
- RenderSafetyProof executed body: DOC84 owns execution; E0 owns contract requirements.
- DomainProfile policy-axis values: DOC81 owns exact policy-axis semantics; E0 owns registry + fallback rule.
- Lifecycle/erasure state machine: do not reopen DOC88/lifecycle engine; E0 only prevents vocabulary collapse.
- MemoryMutationEnvelope full body: Stage 7 owns body; E0 names required event-sourcing vocabulary.
- MemoryProvenanceGraph full body: Stage 7 owns body; E0 names node/edge/proof/redaction requirements.
- Lint registry implementation: Stage 9.
- Fixture manifest implementation: Stage 8.
- JSON Schema bodies for every contract: Stage 7.
- Full schema migration subsystem: Stage 7; E0 only sets schema_version + migration-plan rule.
```
### 2.3 Things explicitly cut from the earlier broad review
Do **not** add these as E0-owned full bodies:
```text
- Full FinalPromptTruthRef field schema.
- Full LintRegistry meta-schema.
- Full FixtureManifest meta-schema.
- Full MemorySchemaMigrationPlan schema.
- Full lifecycle/erasure state machine with may_render / may_export / may_delete flags.
- DOC81 policy-axis enum bodies inside DomainProfile.
- DOC84 RenderSafetyProof execution body.
- Full MemoryMutationEnvelope event body.
- Full MemoryProvenanceGraph graph body.
```
The gaps remain real. The full bodies land elsewhere.
---
## 3. Patch priority order
### Tier 0 — Blocks downstream binding
1. **Resolve `ContextProductKind` 17-vs-14 source conflict.** Adopt ABC §9.2’s 17 values unless a later explicit architect decision proves a 14-kind compression. Patch SM-060 and replace the E0 draft enum.
2. **Name `FinalPromptTruthRef` and add no-learning-without-final-prompt-truth invariant.** Do not write the full DOC11 body in E0.
3. **Make `MemoryFlowCertificate` a discriminated union.** MFC is E0-owned and settled; optional refs are not sufficient.
### Tier 1 — Must close before red-team closure
4. **Add §17A preservation matrix.** Assurance artifact proving Stage 5R / 5R2 / 5R2b items land, defer, or exit scope.
5. **Add `CascadingSourceInvalidation` / `SourceRevocationCascadeContract`.** Five-plane invariant + lints.
6. **Add `SemanticProjectionContract`.** E0 umbrella + axis-owner table; downstream bodies stay downstream.
7. **Add Stage 5R2b lint preservation names.** Adapter convergence, CU divergence, bitemporal axes, monotonicity, matrix coverage.
8. **Add proof retention classes.** Proofs that gate durable effects are durable audit, canonical/append-only, and not recomputed.
9. **Add source-pack drift sweep and ADQ normalization.** ContextProduct conflict, ADQ-207/312/313 consistency, ADQ-313 omission, CognitiveDiff residue, DOC8/DOC25 ReasonCode producer ambiguity, stale prompt path, state-file drift.
### Tier 2 — Hardening for A-grade foundation
10. ReasonCode namespace mechanics + DOC8 legacy-reserved decision + DOC25 producer-source decision.
11. DomainProfile per-axis conservative fallback rule, with DOC81 owning axis semantics.
12. MemoryContextPlan per-product request/disposition grammar.
13. ContextProductDecision / ContextProductInstanceId named hook.
14. PromptShellExposure / PromptShellLearningContract reference hooks.
15. WarrantDegradationTriggerRegistry payload/lifecycle mechanics.
16. RenderSafetyCheckRegistry cannot remain provisional if mandatory.
17. ExternalDependencyRecord reproducible pinning fields.
18. ECSeam explicit read-model refresh + no non-EC durable writer.
19. Schema-version convention and breaking-change migration-plan rule.
20. MemoryCoordinationTrace turn/session correlation.
21. Health/quota/compute-budget/background-yield operational hardening.
22. Embedding provenance generation/comparability semantics.
23. Object classification expansion and ABC §21 placement table.
24. §18 golden scenario + fixture taxonomy handoff.
25. F-struct #3/#4 shared-runtime-vocabulary architect decision.
26. Lightweight lint/fixture naming convention.
27. OP-A / SPEC_STATE / ADDENDA_STATE closure checklist.
28. T1–T20 coverage appendix.
---
# 4. Detailed findings and recommendations
---
## F1 — BUG / P0: `ContextProductKind` source conflict must be resolved now
### Source basis
Verify against ABC R0.2 §9.2, ABC R0.2 §9.3, SM-060, and the current E0 `Charter_Draft.md` ContextProduct section. The adjudicated issue is not merely that the draft enum is illustrative; it is that a senior source enumerates 17 values while SM-060 says 14 and the draft names match neither set in full.
### Finding
The E0 draft’s `ContextProductKind` list is not ratifiable. The draft treats a 14-kind registry as fixed, but the senior ABC R0.2 §9.2 source enumerates 17 concrete values. SM-060 says 14 but does not document a merge/compression rationale. The draft’s 14 illustrative names match neither source in full.
This is the strongest verified catch in the entire review. It is not a Stage 7 cleanup item because DOC84/E7+E8 consumes E0’s `ContextProduct`, `PromptShellVariant`, and `MemoryContextPlan` as preconditions.
### Required patch
```md
### E0-PATCH-CTXPRODUCT-01 — Resolve ContextProductKind source conflict
Conflict:
- ABC R0.2 §9.2 enumerates 17 ContextProductKind values.
- SM-060 says the DOC80 registry has 14 kinds but does not document a 17→14 merge.
- The E0 draft currently uses 14 illustrative names that match neither source.
Default recommendation:
Adopt ABC R0.2 §9.2’s 17 values as canonical unless an explicit later architect decision proves a 14-kind compression.
Blocking rule:
DOC84/E7/E8 may not bind to ContextProductKind until this decision closes.
```
### Recommended canonical enum
```ts
type ContextProductKind =
| 'assertion_packet'
| 'direct_memory_item'
| 'topic_notice'
| 'topic_slice'
| 'library_notice'
| 'library_source_slice'
| 'cu_source_bound_synthesis'
| 'recent_work_orientation'
| 'issue_frame_orientation'
| 'directive_block'
| 'procedure_block'
| 'warning_constraint'
| 'null_result_notice'
| 'conflict_notice'
| 'search_affordance'
| 'reference_only_notice'
| 'blocked_scope_notice';
```
### Registry-entry shape
E0 owns the registry grammar. DOC84 owns assembly behavior. Product payload schema ownership may vary by product kind.
```ts
type OwnerDocId =
| 'DOC11'
| 'DOC24'
| 'DOC25'
| 'DOC80'
| 'DOC81'
| 'DOC82'
| 'DOC83'
| 'DOC84'
| 'DOC85'
| 'DOC86'
| 'DOC87'
| 'EC';
type RoleBand =
| 'primary_answer_support'
| 'orientation'
| 'constraint'
| 'warning'
| 'reference'
| 'affordance'
| 'suppression_notice';
type UseWarrant =
| 'direct_evidence'
| 'derived_evidence'
| 'orientation_only'
| 'reference_only'
| 'blocked';
type ProofRequirement =
| 'context_packet_proof'
| 'render_safety_proof'
| 'memory_flow_certificate'
| 'final_prompt_truth_ref'
| 'source_binding_ref'
| 'policy_stamp_ref';
interface ContextProductRegistryEntry<K extends ContextProductKind = ContextProductKind> {
kind: K;
registry_owner: 'DOC80';
payload_schema_owner: OwnerDocId;
assembly_contract_owner: 'DOC84';
packet_executor: 'DOC24';
role_band: RoleBand;
allowed_warrants: UseWarrant[];
required_proofs: ProofRequirement[];
default_budget_band: 'xs' | 's' | 'm' | 'l';
degrades_to?: ContextProductKind;
candidate_injectable: boolean;
learning_target: 'allowed' | 'disallowed' | 'manifest_only';
final_prompt_instance_spine_required: boolean;
}
```
### Required NAMED-only instance spine
E0 should also name the product-decision / product-instance spine, without owning DOC84’s field-level decision body.
```md
### ContextProductDecision / ContextProductInstanceId — NAMED-only E0 hook
Owner:
- Decision/outcome body: DOC84
- Runtime packet/final-prompt manifestation: DOC24 / DOC11
- E0 role: require every assembled, degraded, blocked, suppressed, or not-found product request to have a traceable decision or equivalent DOC84-owned outcome record.
Invariant:
`context_product_instance_id` must survive DOC24 packet assembly, DOC11 final-prompt truth, and DOC85 learning attribution whenever a product contributes to render or learning.
```
Required handoff rule:
```text
Every MemoryContextProductRequest must be linkable to either a ContextProductDecision or a downstream DOC84-owned equivalent that records assembled / degraded / blocked / suppressed_manifest_only / not_found.
```
### Required lints
```text
context_product.kind_not_in_registry
context_product.payload_schema_owner_missing
context_product.assembly_contract_owned_by_doc80
context_product.instance_id_not_preserved_to_final_prompt
context_product.learning_attribution_without_final_prompt_truth
context_product.registry_count_conflicts_with_source
context_product.decision_missing_for_request
context_product.instance_id_missing
context_product.instance_id_not_in_final_prompt_truth
context_product.instance_id_missing_from_learning_attribution
```
### Final settled recommendation
Patch this first. It is the true P0 source conflict that blocks E7/E8 from binding to E0.
---
## F2 — BUG / high: final-prompt truth must be named and proof-gated
### Source basis
Verify against Skeletal DOC80 §18 golden scenario, DOC11/OpenClaw final prompt truth sources, DOC24/BDSM final-prompt manifest / utility-attribution material, and the current `ContextPacketProof` section.
### Finding
`ContextPacketProof` proves packet assembly. It does not prove which spans actually reached the executed final prompt. Without a final-prompt truth hook, DOC85 can attribute learning/utility to content that was planned, selected, or assembled, but then trimmed, suppressed, or never injected.
This is a real bug, but a full `FinalPromptTruthRef` schema in E0 would be over-scoped. Runtime prompt truth belongs to DOC11/OpenClaw. E0 should name the hook and bind memory-family invariants to it.
### Required E0 addition
```md
### FinalPromptTruthRef — NAMED-only E0 contract hook
Owner:
- Runtime truth body: DOC11 / OpenClaw
- E0 role: name the proof dependency and bind memory-family invariants to it
Invariant:
No learning attribution, utility credit, prompt-shell exposure learning, or context-product
learning may attach unless the cited context/prompt-shell span survived into the executed final
prompt under a FinalPromptTruthRef.
E0 does not define the full field-level body. Stage 7 / DOC11 defines the executable schema.
```
### Required Stage 7 / DOC11 handoff requirements
E0 should require the downstream body to account for:
```text
- final prompt injection manifest reference;
- final prompt text hash;
- rendered span refs;
- trimmed span refs;
- suppressed span refs;
- context_product_instance_id spine;
- prompt_shell_variant refs;
- DOC11 finalizer reference;
- runtime session / model execution reference.
```
### Required lints
```text
learning.utility_credit_without_final_prompt_truth
learning.utility_credit_for_trimmed_span
learning.utility_credit_for_suppressed_span
render.context_product_instance_id_lost_before_final_prompt
prompt_shell.learning_without_final_prompt_truth
```
### Render/export scope note
Do not overstate this as “all render-like activity requires final-prompt truth.” Final-prompt truth is required for executed prompt render and for any learning/utility attribution. Preview renders or export-only render paths may use other proof targets, but must not produce learning credit unless final-prompt survival is proven.
### Final settled recommendation
Do not write the full schema body in E0. Add the name, owner, invariant, lint names, and Stage 7/DOC11 handoff.
---
## F3 — BUG / high: `MemoryFlowCertificate` must be a discriminated union
### Source basis
Verify against ADQ-207, the current draft MFC section, and the proof/lint tables.
### Finding
`MemoryFlowCertificate` is E0-owned and design-settled enough for a full body. The draft correctly includes the six privileged flow kinds: durable write, render, export, carryover, delegation, and learning attribution. But it uses one interface with optional references and comments. That allows invalid certificates.
A render MFC with no `ContextPacketProof`, no `RenderSafetyProof`, and no `FinalPromptTruthRef` for executed prompt render should be structurally impossible.
### Required contract
```ts
type Brand<T, B extends string> = T & { readonly brand: B };
type MemoryFlowCertificateId = Brand<string, 'MemoryFlowCertificateId'>;
type MemoryCoordinationTraceRef = Brand<string, 'MemoryCoordinationTraceRef'>;
type PolicyGenerationId = Brand<string, 'PolicyGenerationId'>;
type EffectiveMemoryPolicyRef = Brand<string, 'EffectiveMemoryPolicyRef'>;
type ReasonCodeId = Brand<string, 'ReasonCodeId'>;
type ContextPacketProofRef = Brand<string, 'ContextPacketProofRef'>;
type RenderSafetyProofRef = Brand<string, 'RenderSafetyProofRef'>;
type FinalPromptTruthRefId = Brand<string, 'FinalPromptTruthRefId'>;
type MemoryMutationEnvelopeRef = Brand<string, 'MemoryMutationEnvelopeRef'>;
type LearningSignalRef = Brand<string, 'LearningSignalRef'>;
type ExportManifestRef = Brand<string, 'ExportManifestRef'>;
type DelegationPayloadRef = Brand<string, 'DelegationPayloadRef'>;
type CarryoverCapsuleRef = Brand<string, 'CarryoverCapsuleRef'>;
type MemoryFlowKind =
| 'durable_write'
| 'render'
| 'export'
| 'carryover'
| 'delegation'
| 'learning_attribution';
interface BaseMemoryFlowCertificate {
certificate_id: MemoryFlowCertificateId;
schema_owner: 'DOC80';
issued_by: 'EC';
coordination_trace_ref: MemoryCoordinationTraceRef;
policy_generation_id: PolicyGenerationId;
effective_policy_ref: EffectiveMemoryPolicyRef;
created_at: string; // RFC3339 UTC
}
interface WithheldMemoryFlowCertificate extends BaseMemoryFlowCertificate {
outcome: 'withheld';
flow_kind: MemoryFlowKind;
withheld_reason_code: ReasonCodeId;
}
interface DurableWriteMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'durable_write';
mutation_envelope_ref: MemoryMutationEnvelopeRef;
}
interface RenderMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'render';
render_target: 'final_prompt' | 'preview' | 'export_render';
context_packet_proof_ref: ContextPacketProofRef;
render_safety_proof_ref: RenderSafetyProofRef;
final_prompt_truth_ref?: FinalPromptTruthRefId; // required when render_target = 'final_prompt'
}
interface ExportMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'export';
context_packet_proof_ref: ContextPacketProofRef;
export_manifest_ref: ExportManifestRef;
final_prompt_truth_ref?: FinalPromptTruthRefId; // required if export includes executed-prompt-rendered content
}
interface CarryoverMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'carryover';
context_packet_proof_ref: ContextPacketProofRef;
carryover_capsule_ref: CarryoverCapsuleRef;
}
interface DelegationMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'delegation';
context_packet_proof_ref: ContextPacketProofRef;
delegation_payload_ref: DelegationPayloadRef;
}
interface LearningAttributionMFC extends BaseMemoryFlowCertificate {
outcome: 'issued';
flow_kind: 'learning_attribution';
context_packet_proof_ref: ContextPacketProofRef;
final_prompt_truth_ref: FinalPromptTruthRefId;
learning_signal_ref: LearningSignalRef;
}
type MemoryFlowCertificate =
| WithheldMemoryFlowCertificate
| DurableWriteMFC
| RenderMFC
| ExportMFC
| CarryoverMFC
| DelegationMFC
| LearningAttributionMFC;
```
### Required lints
```text
proof.durable_write_without_memory_flow_certificate
proof.render_without_memory_flow_certificate
proof.export_without_memory_flow_certificate
proof.carryover_without_memory_flow_certificate
proof.delegation_without_memory_flow_certificate
proof.learning_attribution_without_memory_flow_certificate
proof.withheld_certificate_missing_reason_code
proof.flow_kind_required_ref_missing
proof.final_prompt_render_missing_final_prompt_truth
proof.export_prompt_render_missing_final_prompt_truth
```
### Final settled recommendation
This should land as a full E0 contract. Unlike `FinalPromptTruthRef`, MFC is E0-owned and settled.
---
## F4 — GAP / high: add §17A preservation matrix as an assurance artifact
### Finding
The draft covers many high-level targets, but it does not provide a systematic preservation proof for Stage 5R / 5R2 / 5R2b decisions. The matrix is needed not because every must-fix was dropped, but because specific mechanisms, lint names, and downstream gates can otherwise be lost.
### Required section
```md
## §17A. Stage 5R / 5R2 / 5R2b Preservation Matrix
This section is the authoritative preservation proof for E0. Every Stage 5R, Stage 5R2,
and Stage 5R2b synthesis decision that touches DOC80 core must land here with a disposition.
| Source Item ID | Source Artifact | Source Section / Lines | Required Decision / Invariant / Object | E0 Disposition | Landing Section | Required Lints | Required Fixtures / Stage 8 Handoff | Downstream Gate | Blocking Status | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
```
Allowed dispositions:
```text
- E0-owned
- E0-names-only / Stage 7 schema body
- Downstream charter
- Stage 8 fixture
- Stage 9 lint
- External-owner amendment
- Out of scope for E0
```
### Minimum rows
```text
- ContextProductKind registry conflict.
- FinalPromptTruthRef invariant.
- CascadingSourceInvalidation five-plane cascade.
- SemanticProjectionContract split.
- MemoryFlowCertificate required flow kinds.
- Stage 5R2b lint families.
- ECSeamContract responsibilities.
- DOC15 context-budget seam.
- DOC26 citation validation seam.
- SourceBoundSynthesisAdapter convergence.
- DOC85 two-phase sequencing.
- Library ADQ-202 gating.
- TopicIdentityContract stub before TopicCollectionDirective.
- Golden scenario phase ordering.
- F-struct #3/#4 shared-runtime-vocabulary decision.
```
### Final settled recommendation
Add the matrix, but frame it as assurance and traceability, not as proof of total systemic failure.
---
## F5 — BUG / high: source revocation cascade must be first-class
### Source basis
Verify against the Stage 5R2 source-revocation cascade finding, Stage 5R workflow story, and current E0 recovery/replay/monotonicity sections.
### Finding
Source revocation is cross-plane. It affects DOC82 support edges, DOC87 memberships, DOC84 delivery/carryover artifacts, DOC85 learning signals, and DOC86 Inspector surfaces. Generic recovery/replay language is not enough.
### Required contract
```ts
type SourceRef = Brand<string, 'SourceRef'>;
type EvidenceSupportEdgeRef = Brand<string, 'EvidenceSupportEdgeRef'>;
type MemoryMembershipEdgeRef = Brand<string, 'MemoryMembershipEdgeRef'>;
type ContentReference = Brand<string, 'ContentReference'>;
type UserContextSurfaceRef = Brand<string, 'UserContextSurfaceRef'>;
type ECReceiptRef = Brand<string, 'ECReceiptRef'>;
interface SourceRevocationCascadeContract {
contract_id: 'doc80.source_revocation_cascade';
schema_owner: 'DOC80';
source_ref: SourceRef;
revocation_event_ref: MemoryMutationEnvelopeRef;
affected_planes: {
doc82_support_edges: EvidenceSupportEdgeRef[];
doc87_memberships: MemoryMembershipEdgeRef[];
doc84_delivery_artifacts: ContentReference[];
doc85_learning_signals: LearningSignalRef[];
doc86_surfaces: UserContextSurfaceRef[];
};
required_outcomes: {
support_edges: 'invalidated' | 'recomputed' | 'verify_required';
memberships: 'restamped' | 'removed' | 'hidden';
delivery: 'invalidated';
learning: 'ineligible_for_future_utility';
inspector: 'safe_labeled' | 'suppressed';
};
ec_receipt_refs: ECReceiptRef[];
reason_codes: ReasonCodeId[];
}
```
### Required lints
```text
revocation.support_edge_survives_revoked_source
revocation.membership_survives_revoked_source_without_restamp
revocation.carryover_capsule_survives_revoked_source
revocation.learning_credit_after_revocation
revocation.inspector_leaks_revoked_source
revocation.published_view_not_invalidated_after_revocation
```
### Important correction: revocation monotonicity must respect support polarity
A blanket lint like `monotonicity.revocation_raised_eligibility` is logically wrong. Revoking a source that **supports** an assertion can lower warrant. Revoking a source that **contradicts** an assertion can raise net warrant. The invariant is not “revocation may never raise eligibility”; the invariant is “revocation must trigger recomputation and trace the warrant change.”
Replace any blanket monotonicity lint with:
```text
revocation.supporting_source_removed_without_recompute
revocation.contrary_source_removed_without_recompute
revocation.net_warrant_changed_without_recompute_trace
```
### Final settled recommendation
Add the cascade contract and correct the monotonicity logic. This is one of the most important A-grade hardening fixes.
---
## F6 — BUG / high: `SemanticProjectionContract` is missing as an E0-owned umbrella
### Finding
Projection semantics are cross-cutting. Projection must never own truth. Each projection must carry source refs, generation ID, invalidation policy, projection owner, and proof/read-model refs. The E0 draft names this area but does not define an operative umbrella contract.
### Required contract
```ts
type SemanticProjectionAxis =
| 'delivery'
| 'ui'
| 'organization'
| 'knowledge';
type ProjectionSchemaName =
| 'DeliveryProjection'
| 'UIProjection'
| 'OrganizationProjection'
| 'KnowledgeProjection';
interface SemanticProjectionContract {
contract_id: 'doc80.semantic_projection_contract';
schema_owner: 'DOC80';
projection_may_own_truth: false;
required_fields: [
'source_refs',
'generation_id',
'invalidation_policy_ref',
'projection_owner',
'proof_or_read_model_refs'
];
allowed_axes: SemanticProjectionAxis[];
}
interface SemanticProjectionAxisRegistration {
axis: SemanticProjectionAxis;
concrete_projection_schema: ProjectionSchemaName;
schema_owner: 'DOC82' | 'DOC84' | 'DOC86' | 'DOC87';
canonical_truth_owner: OwnerDocId;
invalidation_policy_owner: OwnerDocId;
}
```
### Required lints
```text
projection.used_as_canonical_truth
projection.owner_missing
projection.missing_invalidation_policy
projection.missing_source_refs
projection.generation_id_missing
projection.proof_or_read_model_refs_missing
```
### Final settled recommendation
Keep the umbrella + axis-owner table in E0. Do not define member projection bodies in E0.
---
## F7 — BUG / high: proof retention classes must be defined
### Finding
A proof that gates a durable effect cannot be treated as a rebuildable, transient, or decorative artifact. Proof retention determines replay and audit correctness.
### Required contract
```ts
type ProofRetentionClass =
| 'durable_audit_required'
| 'durable_if_effect_committed'
| 'transient_allowed_only_if_effect_not_committed'
| 'derived_rebuildable';
interface ProofArtifactRetentionRule {
artifact_type: string;
retention_class: ProofRetentionClass;
retained_by: 'EC' | 'DOC11' | 'DOC84' | 'DOC85';
replay_required: boolean;
audit_required: boolean;
}
```
### Required rule
```text
Any proof artifact that gates a durable write, render, export, carryover, delegation,
or learning attribution must be retained as durable_audit_required or referenced by
an originating durable audit envelope.
```
### Required lints
```text
proof.gated_effect_without_retained_proof
proof.retention_class_missing
proof.transient_proof_used_for_durable_effect
proof.replay_required_artifact_missing_from_audit
```
### Final settled recommendation
This is E0-owned and should land. It directly protects replay and audit integrity.
---
## F8 — BUG / high: `ContextPacketProof` cannot use boolean membership proof
### Finding
A boolean such as `membership_eligibility_checked: true` does not prove that each injected membership edge was eligible. It does not identify the edge, lifecycle state, policy generation, gate owner, or reason codes.
### Required replacement grammar
```ts
type MembershipLifecycleState =
| 'candidate'
| 'active'
| 'blocked'
| 'removed'
| 'stale'
| 'suppressed'
| 'archived';
interface MembershipEligibilityProof {
membership_edge_ref: MemoryMembershipEdgeRef;
lifecycle_state: MembershipLifecycleState;
injection_eligible: boolean;
gate_owner: 'DOC87' | 'DOC84';
policy_generation_id: PolicyGenerationId;
reason_codes: ReasonCodeId[];
}
```
E0 should require `ContextPacketProof` to reference edge-level membership eligibility results, but Stage 7 may write the final field-level body.
### Required lints
```text
proof.membership_eligibility_boolean_only
proof.injected_membership_without_edge_level_result
proof.injected_membership_lifecycle_not_active
proof.injected_membership_missing_reason_codes
```
### Final settled recommendation
Treat the boolean as a bug. Require edge-level proof semantics.
---
## F9 — GAP / high: `MemoryContextPlan` needs per-product request/disposition grammar
### Finding
A plan-level list of requested product kinds is too coarse. The system needs to know which product was requested, why, with what priority, what fallback/degradation was allowed, and whether a `must_include` product was silently dropped.
### Scope correction
E0 should own the request/disposition grammar. DOC84 should own runtime outcome records and assembly details.
### Required E0 grammar
```ts
type ContextProductDisposition =
| 'assembled'
| 'degraded'
| 'blocked'
| 'suppressed_manifest_only'
| 'not_found';
interface MemoryContextProductRequest {
request_id: string;
kind: ContextProductKind;
purpose:
| 'answer'
| 'orientation'
| 'constraint'
| 'source_support'
| 'search_affordance'
| 'warning'
| 'carryover';
priority: 'must_include' | 'high' | 'normal' | 'low';
allowed_dispositions: ContextProductDisposition[];
max_budget_band: 'xs' | 's' | 'm' | 'l';
fallback_kind?: ContextProductKind;
required_proofs: ProofRequirement[];
}
```
### Required lints
```text
context_plan.must_include_product_silently_dropped
context_plan.blocked_product_missing_reason_code
context_plan.fallback_kind_not_in_registry
context_plan.required_proof_missing_for_product
```
### Final settled recommendation
Do not put runtime outcomes inside E0’s plan body. E0 defines request/disposition grammar; DOC84 records outcomes.
---
## F10 — BUG / high: ContextProduct determinism must name learned weights as inputs
### Finding
The draft’s deterministic claim — that a context product is a pure function of named inputs — conflicts with learned shell reweighting or utility-based ranking unless those learned weights are themselves named inputs.
### Required invariant
```text
Any learned weighting, ranking, utility bundle, shell-weight generation, policy bundle,
or model version that affects packet assembly or ContextProduct selection must be a named
input to the deterministic product instance ID.
```
### Recommended input spine
```text
context_product_instance_id = pure function of:
- request input
- policy_generation_id
- context_product_registry_version
- memory_context_plan_version
- prompt_shell_variant_id
- shell_weight_generation_id
- utility_bundle_generation_id
- source generation IDs
- membership generation IDs
- budget profile ID
- domain_profile_id
```
### Required lint
```text
determinism.learned_weight_not_named_input
```
### Final settled recommendation
Add this. It is a subtle but serious reproducibility bug.
---
## F11 — GAP / medium-high: `PromptShellExposure` and `PromptShellLearningContract` need E0 reference hooks
### Finding
Prompt shell learning cannot depend only on `PromptShellVariant` identity and cache eligibility. It needs an exposure-level hook showing which shell variant reached final prompt, whether it was trimmed, and whether learning may attach.
### Required NAMED-only hooks
```md
### PromptShellExposure — NAMED-only E0 hook
Owner:
- DOC84 / DOC11 own execution and final-prompt realization.
- E0 owns the reference hook and learning invariant.
Required downstream body to account for:
- shell_variant_ref
- final_prompt_truth_ref
- rendered_span_refs
- trimmed_span_refs
- policy_generation_id
- utility_attribution_allowed
- reason_codes
```
```md
### PromptShellLearningContract — E0 invariant
- final_prompt_truth_required: true
- trimmed_span_ineligible_for_learning: true
- retired_shell_variant_ineligible_for_new_learning: true
- policy_variant_learning_requires_policy_generation: true
```
### Required lints
```text
prompt_shell.learning_without_exposure
prompt_shell.learning_from_trimmed_span
prompt_shell.learning_from_retired_variant
prompt_shell.policy_variant_learning_missing_policy_generation
```
### Final settled recommendation
Name the hooks and lints. Do not draft full execution bodies in E0.
---
## F12 — GAP / medium-high: `WarrantDegradationTriggerRegistry` needs payload/lifecycle mechanics and static-fact carveouts
### Finding
The trigger registry cannot be only a list of names. Each trigger needs payload shape, producer ownership, consumer ownership, lifecycle state, and new-trigger admission rule. Additionally, warrant degradation must not erode static facts, user-locked memories, authority-fixed content, or other fixed fields.
### Required registry entry
```ts
type WarrantDegradationTriggerKind = Brand<string, 'WarrantDegradationTriggerKind'>;
interface WarrantDegradationTriggerRegistryEntry {
trigger_kind: WarrantDegradationTriggerKind;
registry_owner: 'DOC80';
semantic_owner: OwnerDocId;
allowed_producers: OwnerDocId[];
allowed_consumers: OwnerDocId[];
payload_schema_ref: string; // JsonSchemaRef in Stage 7
lifecycle_state: 'candidate' | 'active' | 'deprecated' | 'retired';
introduced_in: string; // SchemaVersionRef convention
deprecated_in?: string;
retired_in?: string;
replacement_trigger_kind?: WarrantDegradationTriggerKind;
default_reason_code: ReasonCodeId;
}
```
### Required carveout rule
```text
Warrant degradation must exempt or specially handle:
- user-asserted durable facts;
- authority-fixed content;
- static facts;
- legal citations / dates / named entities where the profile marks the field fixed;
- user-locked memories;
- fields marked fixed within otherwise living memory.
```
### Required lints
```text
warrant_trigger.kind_not_registered
warrant_trigger.payload_schema_missing
warrant_trigger.producer_not_allowed
warrant_trigger.retired_trigger_emitted
warrant_trigger.new_trigger_without_adq
warrant_degradation.authority_fixed_fact_degraded
warrant_degradation.static_fact_degraded
warrant_degradation.user_locked_memory_degraded
warrant_degradation.fixed_field_degraded
```
### Final settled recommendation
Add registry mechanics and static/fixed carveouts. This directly protects the “living memory erodes static facts” failure mode.
---
## F13 — BUG / medium-high: `RenderSafetyCheckRegistry` cannot be provisional if render safety is mandatory
### Finding
E0 can require render safety proof, but the check vocabulary cannot be “proposed” while downstream render contracts depend on it. Either E0 defines the registry now or marks E8 blocked until the registry is defined.
### Required registry shape
```ts
type RenderSafetyCheckKind =
| 'policy_generation_current'
| 'membership_eligible'
| 'source_not_revoked'
| 'domain_profile_allowed'
| 'final_prompt_truth_bound'
| 'context_product_kind_allowed'
| 'prompt_shell_variant_active';
interface RenderSafetyCheckRegistryEntry {
check_kind: RenderSafetyCheckKind;
registry_owner: 'DOC80';
execution_owner: 'DOC84';
required_for_render: boolean;
failure_blocks_render: boolean;
payload_schema_ref: string; // Stage 7 JSON Schema ref
negative_fixture_ref: string; // Stage 8 fixture handoff
}
```
### Required lint
```text
render_safety.provisional_check_used_as_required_contract
```
### Final settled recommendation
Make the registry canonical or explicitly block E8. Do not leave mandatory checks provisional.
---
## F14 — BUG / medium-high: `RenderSafetyProof` contract vs execution body must be separated
### Finding
E0 owns the render-safety contract. DOC84 owns execution. The draft should mechanically separate those layers.
### Required E0 contract
```ts
interface RenderSafetyProofContract {
contract_id: 'doc80.render_safety_proof_contract';
schema_owner: 'DOC80';
execution_schema_owner: 'DOC84';
finalizer: 'DOC11';
required_check_registry_ref: string;
fail_closed: true;
render_blocked_when_required_check_fails: true;
final_prompt_truth_required_for_executed_prompt_render: true;
}
interface RenderSafetyProofInstanceRequirements {
must_name_context_packet_proof: true;
must_name_policy_generation_id: true;
must_report_each_required_check: true;
fail_blocks_render: true;
}
```
### Required lints
```text
render_safety.executed_body_defined_in_doc80
render_safety.required_check_missing
render_safety.failed_check_did_not_block_render
render_safety.final_prompt_truth_missing_for_executed_prompt_render
```
### Final settled recommendation
E0 defines the requirements. DOC84 defines the executed proof body.
---
## F15 — GAP / medium-high: ReasonCode registry needs collision-proof namespace mechanics and producer drift correction
### Finding
ReasonCode will become ubiquitous. Loose namespace strings are not enough. E0 also needs to resolve producer drift: DOC8 should not quietly remain an active runtime producer if it is capability-mining-only; DOC25 should not be added as a producer without source or architect decision.
### Required registry mechanics
```ts
type ReasonCodeNamespace = Brand<string, 'ReasonCodeNamespace'>;
type ReasonCodeNamespaceState =
| 'reserved'
| 'active'
| 'deprecated'
| 'retired'
| 'legacy_reserved';
interface ReasonCodeNamespaceAllocation {
namespace: ReasonCodeNamespace;
pattern: '^[A-Z][A-Z0-9_]{1,31}$';
owner_doc: OwnerDocId;
state: ReasonCodeNamespaceState;
allocated_in: string; // SchemaVersionRef convention
deprecated_in?: string;
retired_in?: string;
replacement_namespace?: ReasonCodeNamespace;
legacy_allowed_only?: boolean;
}
interface ReasonCodeRegistryEntry {
reason_code_id: ReasonCodeId;
namespace: ReasonCodeNamespace;
local_name: string;
pattern: '^[A-Z][A-Z0-9_]{1,63}$';
owner_doc: OwnerDocId;
lifecycle_state: 'active' | 'deprecated' | 'retired';
description: string;
introduced_in: string;
deprecated_in?: string;
retired_in?: string;
replacement_reason_code_id?: ReasonCodeId;
}
```
### Required DOC8 / DOC25 producer decisions
```text
DOC8 must be explicitly classified as one of:
A. removed from active ReasonCode producers; or
B. legacy_reserved only, incapable of emitting new runtime ReasonCodes.
DOC25 must be explicitly classified as one of:
A. source-cited active ReasonCode producer;
B. downstream consumer only; or
C. newly elevated producer by architect decision.
```
### Required lints
```text
reason_code.namespace_unallocated
reason_code.namespace_collision
reason_code.namespace_state_legacy_emitted_runtime_code
reason_code.retired_code_emitted
reason_code.deprecated_code_missing_replacement
reason_code.case_pattern_violation
reason_code.producer_not_source_supported
```
### Final settled recommendation
Land full namespace mechanics in E0. Resolve both DOC8 and DOC25 producer status explicitly.
---
## F16 — GAP / medium-high: DomainProfile fallback needs per-axis conservative meet
### Finding
A scalar `restrictiveness_rank` cannot represent a profile that is strict on export, loose on rendering, strict on retention, and different on learning. E0 should own the registry and fallback rule; DOC81 owns policy-axis definitions and action-specific allow/block semantics.
### Required E0 rule
```text
effective_profile = per-axis most restrictive applicable profile.
If a profile is missing, unknown, stale, or incomparable on any axis,
that axis resolves to conservative.
If an action touches multiple axes, the action is allowed only if every axis allows it.
```
### Required handoff to DOC81
```text
DOC81 owns:
- exact axis vocabulary;
- action-specific allow/block semantics;
- policy-plane interpretation of each axis.
E0 owns:
- DomainProfile registry;
- profile lookup/fallback rule;
- missing/unknown/incomparable → conservative;
- lint names.
```
### Required lints
```text
domain_profile.scalar_rank_used
domain_profile.missing_conservative_fallback
domain_profile.incomparable_axis_without_fail_closed
domain_profile.unknown_profile_did_not_resolve_conservative
```
### Final settled recommendation
Adopt per-axis conservative meet, but do not pull DOC81 policy-axis bodies into E0.
---
## F17 — GAP / medium-high: `ExternalDependencyRecord` needs reproducible pinning fields
### Finding
The record must be reproducibly pinned. `content_hash` without algorithm and source pin is not enough.
### Required minimum fields
```ts
interface ExternalDependencyRecordMinimum {
repo_path: string;
git_commit_sha: string;
source_line_ranges: string[];
content_hash: string;
hash_algorithm: 'sha256';
last_verified_at?: string; // optional, not required
}
```
### Required lints
```text
external_dependency.hash_algorithm_missing
external_dependency.commit_sha_missing
external_dependency.line_pin_missing
external_dependency.phantom_marked_runtime_import
external_dependency.moving_dependency_without_drift_response
```
### Final settled recommendation
Add commit SHA, SHA-256, and line pins. Keep human-verifier fields optional.
---
## F18 — GAP / medium-high: `MemoryCoordinationTrace` needs turn/session correlation
### Finding
Without `session_ref`, `turn_id`, and request correlation, DOC86 Inspector cannot stitch together all memory/proof/render events caused by one user turn.
### Required E0 fields
```ts
type SessionRef = Brand<string, 'SessionRef'>;
type TurnId = Brand<string, 'TurnId'>;
type RequestCorrelationId = Brand<string, 'RequestCorrelationId'>;
interface MemoryCoordinationTraceCorrelationFields {
session_ref: SessionRef;
turn_id: TurnId;
request_correlation_id: RequestCorrelationId;
parent_trace_ref?: MemoryCoordinationTraceRef;
}
```
### Optional Stage 7 / observability handoff
```text
Stage 7 / observability bodies may add span-level details:
- span_id
- parent_span_id
- span_kind
- actor_ref
- run_ref
- started_at / ended_at
- outcome
- redaction_class
- linked_proof_refs
```
### Required lints
```text
trace.session_ref_missing
trace.turn_id_missing
trace.request_correlation_missing
trace.durable_effect_without_trace_correlation
```
### Final settled recommendation
The correlation fields are E0-owned. Full span telemetry can be Stage 7 / observability detail.
---
## F19 — GAP / medium-high: `MemoryMutationEnvelope` Stage 7 handoff needs event-sourcing vocabulary
### Finding
E0 is correct to defer the full MME schema body to Stage 7, but the handoff must name the minimum event-sourcing vocabulary Stage 7 must implement.
### Required Stage 7 handoff checklist
```text
event_type
aggregate_ref
idempotency_key
causation_id
correlation_id
actor_ref
transaction_time
valid_time_if_applicable
policy_generation_id
proof_refs
reason_codes
replay_order
migration_metadata
```
### Required lints
```text
mme.idempotency_key_missing
mme.causation_id_missing
mme.correlation_id_missing
mme.policy_generation_missing_for_policy_sensitive_write
mme.proof_ref_missing_for_gated_effect
mme.replay_order_missing
```
### Final settled recommendation
Do not write the full MME body in E0. Add handoff requirements and lints.
---
## F20 — GAP / medium-high: `MemoryProvenanceGraph` Stage 7 handoff needs node/edge vocabulary
### Finding
E0 correctly keeps MemoryProvenanceGraph named-only for Stage 7, but the handoff is too weak without minimum node/edge/proof/redaction requirements.
### Required Stage 7 handoff
```ts
type ProvenanceNodeKind =
| 'source_artifact'
| 'source_segment'
| 'extraction_candidate'
| 'assertion'
| 'assertion_variant'
| 'membership_edge'
| 'context_product_instance'
| 'prompt_span'
| 'learning_signal'
| 'mutation_envelope'
| 'proof_artifact';
type ProvenanceEdgeKind =
| 'derived_from'
| 'supports'
| 'contradicts'
| 'rendered_into'
| 'learned_from'
| 'invalidated_by'
| 'superseded_by'
| 'restamped_by'
| 'gated_by_proof';
```
Required requirements:
```text
node_kind_registry_required
edge_kind_registry_required
proof_attachment_required_for_gated_edges
redaction_policy_required
retention_policy_required
revoked_source_cascade_edges_required
```
### Required lints
```text
provenance.node_kind_unknown
provenance.edge_kind_unknown
provenance.gated_edge_missing_proof_ref
provenance.revoked_source_without_invalidating_edges
provenance.redaction_policy_missing
```
### Final settled recommendation
Do not write the graph body in E0. Add the Stage 7 handoff vocabulary.
---
## F21 — GAP / medium-high: ECSeamContract must explicitly mirror all required responsibilities
### Finding
The EC seam should explicitly state read-model refresh and no non-EC durable writer, in addition to durable writes, command execution, policy/scope execution, membership writes, learning write-back, source revocation, audit/replay, transaction ordering, and compare-and-swap.
### Required contract
```ts
interface ECSeamContract {
contract_id: 'doc80.ec_seam_contract';
schema_owner: 'DOC80';
executor: 'EC';
owns_durable_writes: true;
owns_command_execution: true;
owns_policy_scope_execution: true;
owns_membership_writes: true;
owns_learning_writeback: true;
owns_source_revocation_execution: true;
owns_audit_replay: true;
owns_transaction_ordering: true;
owns_compare_and_swap: true;
owns_read_model_refresh: true;
non_ec_durable_writers_forbidden: true;
}
```
### Required lints
```text
ec.non_ec_durable_writer_detected
ec.read_model_refresh_without_ec_receipt
ec.cas_missing_for_generation_sensitive_write
ec.policy_regate_not_executed_by_ec
```
### Final settled recommendation
Make this explicit. Do not rely on implied doctrine.
---
## F22 — GAP / medium: bitemporal carrier split should be explicit
### Finding
Do not collapse all bitemporal semantics into MME. MME records mutation/replay/order timing for EC durable effects. DOC82-owned Assertion / AssertionVariant / EvidenceSupportEdge retain their domain-valid and transaction-time axes.
### Required text
```md
DOC80 does not make MemoryMutationEnvelope the only bitemporal carrier.
MME records mutation/replay/order timing for EC durable effects. DOC82-owned
assertion/evidence objects retain their own domain-valid and transaction-time axes.
E0 requires the two to be linkable but not collapsed.
```
### Required lints
```text
assertion.bitemporal_axes_missing_transaction_time
assertion.bitemporal_axes_missing_valid_time
memory_mutation_envelope.transaction_time_missing
memory_mutation_envelope.valid_time_used_as_replay_order
```
### Final settled recommendation
Make the split explicit to prevent Stage 7 collapse.
---
## F23 — GAP / medium: schema-version convention belongs in E0
### Finding
E0 should not define a full migration subsystem, but it should set a durable record convention.
### Required convention
```text
- Durable records include schema_version.
- Breaking schema changes require a named migration plan.
- Stage 7 owns the migration-plan schema body.
- Timestamps use RFC3339 / ISO-8601 UTC strings.
- Hashes use sha256 unless otherwise stated.
- IDs are branded strings with schema-specific prefixes.
- JSON fields use snake_case.
- TypeScript interfaces use PascalCase.
- Enums use lowercase snake_case unless source-canonical enum differs.
```
### Required lints
```text
schema.version_missing
schema.migration_plan_required_for_breaking_change
schema.timestamp_not_rfc3339_utc
schema.hash_algorithm_missing
```
### Final settled recommendation
Add convention only. Do not build `MemorySchemaMigrationPlan` in E0.
---
## F24 — GAP / medium: Stage 5R2b lint names must be preserved
### Finding
Several Stage 5R2b lints are conceptually present but not preserved as names. Do not rely on “covered in spirit.”
### Required lint names
```text
adapter.activated_without_convergence_plan
adapter.permanent_activation_without_architect_blessing
cu_doc73.divergence_unresolved_after_charter
supersession.import_graph_object_without_matrix_row
assertion.bitemporal_axes_missing_transaction_time
assertion.bitemporal_axes_missing_valid_time
monotonicity.membership_addition_violates_scope_monotone
monotonicity.policy_tighten_violates_access_monotone
monotonicity.source_revocation_violates_consumer_monotone
monotonicity.learning_violates_warrant_monotone
```
### Final settled recommendation
Add a Stage 5R2b lint preservation subsection. Stage 9 implements; E0 names.
---
## F25 — GAP / medium: lifecycle / erasure vocabulary should not reopen a lifecycle engine
### Finding
A prior recommendation to add a full lifecycle state machine was over-scoped and risks reopening a collapsed DOC88/lifecycle-engine decision. The gap is real only as vocabulary collapse prevention.
### Required E0 sentence
```md
Retired, stale, suppressed, reference-only, archived, revoked, tombstoned, and hard-deleted are not synonyms. E0 does not create a lifecycle engine, but downstream contracts must not treat non-erasure states as erased.
```
### Required lints
```text
lifecycle.retired_treated_as_erased
lifecycle.suppressed_treated_as_erased
lifecycle.reference_only_treated_as_erased
lifecycle.archived_treated_as_erased
lifecycle.stale_treated_as_erased
lifecycle.revoked_treated_as_hard_deleted
lifecycle.legal_hold_bypassed_for_deletion
```
### Final settled recommendation
Keep the lints. Reject a full E0 lifecycle state machine.
---
## F26 — GAP / medium: object classification table needs expansion
### Finding
If the memory-object classification table is the Stage 7 anti-phantom index, it needs more rows/classes.
### Required additions
```text
ContextPacketProof
RenderSafetyProof
MemoryFlowCertificate
MemoryCoordinationTrace
MemoryMutationEnvelope
MemoryProvenanceGraph
PromptShellVariant
PromptShellExposure
FinalPromptTruthRef
SemanticProjectionContract
DeliveryProjection
UIProjection
OrganizationProjection
KnowledgeProjection
SourceBoundSynthesisAdapter
VersionedClaim_to_AssertionVariant_Lineage_Table
WarrantEvaluationResult
WarrantConsequenceRegistry
IngestionCostBudget
MemoryPlaneHealthReadModel
MemoryOperationQuota
ExternalDependencyRecord
ContextProductDecision
ContextProductInstanceId
```
### Required new column
```text
audit_replay_class =
canonical
durable_audit
derived
transient
external_ref
named_only
```
### Final settled recommendation
Expand the table. It is the Stage 7 anti-phantom index.
---
## F27 — GAP / medium: health, quota, compute budget, and background yield need operational fields
### Finding
Health and quota should not be dashboard-shaped only. Background-yield behavior cannot be a boolean in a single-threaded Node/OpenClaw runtime without an actual strategy.
### Required health fields
```ts
interface MemoryPlaneHealthCounter {
signal: string;
contributing_member: OwnerDocId;
value: number | Record<string, number>;
measurement_window: string;
generated_at: string;
last_successful_refresh_at: string;
freshness_status: 'fresh' | 'stale' | 'failed';
severity: 'info' | 'warning' | 'degraded' | 'blocked';
source_trace_refs: MemoryCoordinationTraceRef[];
quota_bound_ref?: string;
}
```
### Required quota/compute rows
Seed quota candidates:
```text
max_proof_artifacts_per_request
max_context_products_per_packet
max_trace_spans_per_request
max_provenance_fanout_per_mutation
max_domain_profile_batch_size
max_render_replan_attempts
max_migration_replay_batch
max_source_parse_jobs_per_window
max_learning_replay_per_window
max_review_queue_backlog
max_topic_future_watch_runs
```
Compute budget class:
```ts
type ComputeCostClass =
| 'hot_path'
| 'background_immediate'
| 'background_deferred'
| 'nightly_batch'
| 'manual_review'
| 'migration_replay';
```
Background execution strategy:
```ts
type BackgroundExecutionStrategy =
| 'cooperative_chunking'
| 'worker_thread'
| 'child_process'
| 'deferred_queue_only';
interface BackgroundYieldContract {
background_execution_strategy: BackgroundExecutionStrategy;
max_chunk_ms?: number;
yield_checkpoint_required: boolean;
hot_path_preemption_supported: boolean;
cancellation_checkpoint_required: boolean;
}
```
### Required lints
```text
health.counter_window_missing
health.counter_stale_without_status
health.counter_source_trace_missing
quota.unit_missing
quota.window_missing
quota.default_missing
quota.enforcement_owner_missing
quota.resume_policy_missing
compute_budget.cost_class_missing
compute_budget.enforcement_owner_missing
compute_budget.exhaustion_behavior_missing
quota.background_yield_boolean_without_runtime_strategy
```
### Final settled recommendation
Make these operational enough to implement. Avoid booleans that do not map to runtime mechanics.
---
## F28 — GAP / medium: embedding provenance needs generation/comparability semantics
### Finding
Embedding provenance is directionally present but needs model-ref and generation comparison semantics.
### Required fields
```ts
type EmbeddingModelRef = Brand<string, 'EmbeddingModelRef'>;
type EmbeddingGenerationId = Brand<string, 'EmbeddingGenerationId'>;
interface EmbeddingProvenanceFields {
embedding_model_ref: EmbeddingModelRef;
embedding_generation_id: EmbeddingGenerationId;
embedding_dimension: number;
embedding_provider: 'mlx' | 'ollama' | 'openai' | 'other';
generated_at: string;
source_content_hash: string;
comparable_with_generation_ids: EmbeddingGenerationId[];
}
```
### Required lints
```text
embedding.model_ref_missing
embedding.generation_id_missing
embedding.dimension_mismatch
embedding.source_hash_missing
embedding.compared_across_incompatible_generation
```
### Final settled recommendation
Add minimal provenance conventions so migrations and stale-vector detection are implementable.
---
## F29 — BUG / low-medium: §17.2 mislabels Skeletal §10.7
### Finding
The draft’s §17.2 reportedly maps Skeletal §10.7 as “Proof spine → §4,” but the item is the DOC82↔DOC83 disposition seam and lands at §12.
### Required patch
```text
Correct §17.2 source mapping:
Skeletal §10.7 = DOC82↔DOC83 disposition seam → §12.
Not: Proof spine → §4.
```
### Final settled recommendation
Fix the mapping to avoid traceability drift.
---
## F30 — GAP / medium: debug/dev-mode contract should be named, but not overbuilt
### Finding
For an inspectable local-first system, dev/debug mode must be real, policy-gated, and non-canonical. But a full debug subsystem is not E0’s job.
### Required E0 rule
```md
Debug/dev artifacts may support inspection and fixtures, but they cannot become canonical memory, learning evidence, or durable truth unless separately admitted through normal proof gates.
```
### Required fields to name for downstream body
```text
scope
redaction_policy_ref
expiration_at
export_allowed
learning_allowed = false unless admitted through normal proof gates
```
### Required lints
```text
debug.envelope_missing_scope
debug.learning_enabled_from_debug_trace
debug.export_allowed_without_redaction_policy
debug.raw_prompt_capture_without_expiration
```
### Final settled recommendation
Name the safety rule and lints. Do not build a full debug mode schema in E0.
---
## F31 — GAP / medium: ABC §21 object-placement dispositions need a complete table
### Required table
| Object | Recommended owner | E0 action |
|---|---|---|
| `WarrantEvaluationResult` | DOC82 | Downstream-owned; E0 may reference in proof/warrant seams. |
| `WarrantConsequenceRegistry` | DOC82 primary | DOC80 registry hook only if cross-plane consequences are elevated. |
| `DomainProfileWarrantPolicy` | DOC82 / DOC81 seam, with DOC80 DomainProfile registry | Downstream policy body; E0 owns profile registry/fallback mechanics. |
| `IngestionCostBudget` | DOC25 primary | Declared against DOC80 quota envelope. |
| `PromptShellExposure` | E0 reference hook + DOC84/DOC11 execution refs | Add E0 reference hook because learning/final-prompt truth depends on it. |
| `PromotionGateRecord` | DOC83 / DOC1 / EC seam | E0 records gate requirement; downstream owns body. |
| `ConsideredItemLedger` | DOC84 or DOC85 depending on use | Delivery-selection evidence = DOC84; utility/learning evidence = DOC85; E0 requires final-prompt truth before learning. |
### Final settled recommendation
Add the table. Do not let ABC §21 items remain implicit.
---
## F32 — GAP / medium: cross-charter gate table is needed
### Required table
```md
## §17B. Cross-Charter Gate Table
| Gate ID | Gate Name | Source | Blocked Charter(s) | Required Before | Owner | E0 Action | Blocking Status |
|---|---|---|---|---|---|---|---|
```
Minimum rows:
```text
DOC15 context-budget import check → E7/E8 and possibly E9/E10
DOC26 citation validation check → E10 / ADQ-202-dependent library seam
SourceBoundSynthesisAdapter convergence → E3/E4
DOC85 two-phase BDSM coordination → E9
Library decomposition ADQ-202 gate → E4, E_org, E10
TopicIdentityContract stub → E5 before TopicCollectionDirective
ContextProductKind conflict → E7/E8
FinalPromptTruthRef → E8/E9
SourceRevocationCascadeContract → E3/E4/E7/E8/E9/E10
SemanticProjectionContract → E3/E7/E8/E10
F-struct #3/#4 shared-runtime vocabulary → E7/E8 until architect decision
```
### Final settled recommendation
Downstream charters need visible “do not proceed until X” gates.
---
## F33 — GAP / medium: invariant enforcement table should map runtime gate + lint + fixture
### Required table shape
```md
| Invariant | Runtime Gate | Stage 9 Lint | Stage 8 Negative Fixture Handoff | Owner | Blocking Status |
|---|---|---|---|---|---|
```
### Minimum invariants
```text
no_non_ec_durable_writer
no_learning_without_final_prompt_truth
no_render_without_context_packet_proof
no_final_prompt_render_without_final_prompt_truth
no_render_without_render_safety_proof
no_render_without_memory_flow_certificate
no_removed_membership_injection
no_projection_as_truth
no_source_revocation_without_cascade
no_schema_break_without_migration_plan
no_unregistered_reason_code
no_unknown_domain_profile_without_conservative_fallback
```
### Final settled recommendation
An invariant without a runtime gate and negative-fixture handoff is only documentation.
---
## F34 — BUG / high: §18 golden scenario is referenced but missing or underdeveloped
### Finding
E0 should contain a real §18 fixture taxonomy and golden-scenario anchor, not a phantom reference.
### Required section
```md
## §18. Fixture Taxonomy and End-to-End Golden Scenario Anchor
```
### Fixture taxonomy names only
```text
contract_fixture
negative_contract_fixture
cross_charter_integration_fixture
policy_change_fixture
source_revocation_fixture
replay_fixture
migration_fixture
final_prompt_truth_fixture
learning_attribution_fixture
golden_scenario_fixture
```
### Golden scenario order
```text
1. User request or source observation
2. Policy preflight
3. Extraction admission
4. Source preparation / materialization
5. Candidate emission
6. Canonical resolution
7. Membership assignment
8. Policy re-check
9. Context product planning
10. Packet assembly
11. Rendering
12. Final prompt proof
13. Learning eligibility
14. UI / Inspector read-model update
15. Replay / audit verification
```
### Negative fixture handoffs
```text
fixture.golden.learning_credit_without_final_prompt_truth_fails
fixture.golden.revoked_source_invalidates_support_membership_delivery_learning_ui
fixture.golden.removed_membership_cannot_inject
fixture.golden.non_ec_write_detected
fixture.golden.context_product_kind_unknown_blocks_assembly
fixture.golden.learned_weight_missing_from_deterministic_input_fails
fixture.golden.contrary_source_revocation_recomputes_net_warrant
```
### Final settled recommendation
Add §18. Do not build Stage 8 fixture manifests in E0.
---
## F35 — BUG / medium: source-pack drift and ADQ normalization must be patched concretely
### Source basis
Verify against Stage 6 Charter Input Index, E0 Input Deck, Opening Brief, ADQ Queue, Owner Map, Retired Names, Supersession Matrix, E0 Red-Team prompt, RUN_STATE, E0 README / Opening Brief, and root/commission prompt references.
### Concrete drift examples to check and patch
```text
- Stage 6 Charter Input Index omits ADQ-313 from E0 while Input Deck and Opening Brief require DomainProfile registry.
- Owner Map still has CognitiveDiff + Resume card residue after ResumeProjection / ResumeCard demotion.
- ReasonCode producer list includes DOC8 without legacy-reserved explanation.
- E0 draft appears to add DOC25 as ReasonCode producer without source support.
- E0 red-team prompt points to stale Stage 5R synthesis path.
- RUN_STATE or other state files may say Stage 6 is blocked while E0 materials are active.
- E0 README / Opening Brief may still say drafting approach TBD despite commission/draft/review artifacts existing.
- E0 Index / Input Deck / Opening Brief may disagree on ADQ-207, ADQ-312, ADQ-313.
- Root CLAUDE.md reference in commission prompt should be removed or corrected if file does not exist.
```
### Concrete ADQ normalization requirement
Normalize E0 ADQ pinning across Stage 6 Index, E0 Input Deck, E0 Opening Brief, ADQ Queue, and `Charter_Draft.md`.
Minimum expected E0 ADQ set:
```text
ADQ-203
ADQ-207
ADQ-208
ADQ-210
ADQ-211
ADQ-310
ADQ-312
ADQ-313
ADQ-403
ADQ-404
```
If any of these are not treated as strictly `pinned_to_E0`, split the source tables into explicit categories:
```text
pinned_to_E0
consumed_by_E0
downstream_dependency
```
Do not leave ADQ-207, ADQ-312, or ADQ-313 as implicit or inconsistent dependencies.
### Files to sweep
```text
Memory Rebuild Docs/Stage_6_Charters/E0_DOC80_Core/Charter_Input_Deck.md
Memory Rebuild Docs/Stage_6_Charters/E0_DOC80_Core/Charter_Opening_Brief.md
Memory Rebuild Docs/Stage_6_Charters/E0_DOC80_Core/E0_Red_Team_Review_Prompt.md
Memory Rebuild Docs/Stage_6_Charters/STAGE_6_CHARTER_INPUT_INDEX.md
Memory Rebuild Docs/DOC80 Target Baseline/Owner Map/DOC80_Owner_Map.md
Memory Rebuild Docs/DOC80 Target Baseline/Import Graph/DOC80_Import_Graph.md
Memory Rebuild Docs/DOC80 Target Baseline/Retired Names/DOC80_Retired_Names.md
Memory Rebuild Docs/Flattening/Supersession Matrix/Supersession_Matrix.md
Memory Rebuild Docs/Flattening/Architect Decision Queue/Architect_Decision_Queue.md
Memory Rebuild Docs/Flattening/Execution Ledger/Master/RUN_STATE.md
```
### Final settled recommendation
Run the drift sweep before red-team closure. Source-pack inconsistency is a foundational reliability problem.
---
## F36 — GAP / medium: AC-004 and AC-005 posture should be hard-gated
### AC-004
```text
AC-004 completion = schema + owner boundary + positive fixture + negative fixture + Stage 9 lint.
```
Do not downgrade AC-004 to merely schema plus owner boundary.
### AC-005
```text
AC-005 cannot close independently in E0. It is dependency-gated on ADQ-202,
ECSeamContract, DOC25 materialization/source-binding contracts, and DOC82 source/evidence semantics.
```
### Final settled recommendation
Acceptance criteria must be executable gates, not labels.
---
## F37 — GAP / medium: role-based readiness checks should be explicit
### Stage 7 schema-body author must not have to invent
```text
- ContextProductKind canonical registry
- ContextProduct payload-owner map
- MemoryFlowCertificate variants
- MME event-sourcing vocabulary
- MemoryProvenanceGraph node/edge vocabulary
- schema versioning / migration convention
- branded ID and timestamp conventions
```
### Stage 8 fixture author must not have to invent
```text
- fixture taxonomy
- negative fixture expectations
- final-prompt truth failure cases
- source revocation cascade fixture
- replay-completeness fixture
- policy-change and migration fixtures
- expected lints for each fixture
```
### Stage 9 lint author must not have to invent
```text
- lint naming convention
- severity model
- suppression policy decision
- target artifact types
- runtime-gate mapping
- full Stage 5R2b lint family
```
### Final settled recommendation
Add this as an appendix or readiness section.
---
## F38 — GAP / medium: F-struct #3/#4 shared-runtime vocabulary needs an architect decision row
### Finding
The preservation matrix and gate table mention F-struct #3/#4 and shared-runtime vocabulary, but the review must say what E0 should do with that seam. The risk is that DOC84/E7/E8 or another downstream charter invents its own runtime vocabulary if E0 leaves the seam as an unowned reference.
### Required E0 action
Add an architect-decision row in §17A and a gate row in §17B.
Allowed dispositions:
```text
A. E0 owns the shared runtime vocabulary grammar.
B. E0 names the vocabulary only; member charters define bodies.
C. A downstream owner owns the vocabulary; E0 records dependency and gate.
```
Required decision row:
```md
| F-STRUCT-3-4 | Shared runtime vocabulary seam | F-struct source / Stage 5R2b preservation | Decide whether DOC80 §4 owns shared runtime vocabulary grammar or only names downstream dependency | Architect decision required | §4 / §17A / §17B | runtime_vocab.owner_missing | Stage 8 handoff only | E7/E8 cannot invent private runtime vocabulary | BLOCKING_UNTIL_DECIDED | |
```
### Required lints
```text
runtime_vocab.owner_missing
runtime_vocab.downstream_private_vocabulary_without_e0_gate
```
### Final settled recommendation
Do not silently absorb or ignore F-struct #3/#4. Make it an explicit architect decision.
---
## F39 — GAP / medium: lightweight lint/fixture naming convention should land in E0
### Finding
The earlier full lint-registry and fixture-manifest schemas were over-scoped for E0. But cutting those bodies should not leave Stage 8 and Stage 9 without any common naming grammar.
### Required E0 addition
```md
### Lint naming convention
Format:
`<domain>.<failure_condition>`
Examples of domains:
`proof`, `render`, `learning`, `revocation`, `projection`, `schema`, `quota`, `trace`, `context_product`, `reason_code`, `domain_profile`, `ec`, `lifecycle`.
Rule:
Error lints must have at least one Stage 8 negative-fixture handoff.
### Fixture naming convention
Format:
`fixture.<domain>.<scenario>.<expected_result>`
Fixture kinds named by E0:
- positive_contract
- negative_contract
- cross_charter
- replay
- migration
- policy_change
- source_revocation
- final_prompt_truth
- learning_attribution
- golden_scenario
Ownership:
- Stage 8 owns fixture manifests and fixture bodies.
- Stage 9 owns lint registry implementation and execution mechanics.
- E0 owns only the naming grammar and required handoff expectation.
```
### Final settled recommendation
Keep the convention; do not reintroduce full Stage 8/9 meta-schemas into E0.
---
## F40 — GAP / medium: OP-A / SPEC_STATE closure obligations should be explicit
### Finding
E0 review closure is not complete unless the standing state trackers are updated. OP-A is attached to every red-team review and every spec drafting/revision session; the reviewer’s last step is to update OP-A, including absorbed obligations, partials, new gaps, source registry, and maintenance log.
### Required closure checklist additions
```text
[ ] OP-A §6 reviewed for E0/DOC80-family obligations.
[ ] Absorbed obligations moved to OP-A §7 with date, target revision, and verification note.
[ ] Partial obligations updated from MISSING to PARTIAL / EXISTS as appropriate.
[ ] New cross-doc gaps from this review added to OP-A §6.
[ ] OP-A §3 source registry updated for new consulted/folded source documents.
[ ] OP-A §10 maintenance log updated with date, action summary, and reviewer/model.
[ ] SPEC_STATE updated if E0 charter workflow state changed.
[ ] ADDENDA_STATE updated if any addendum/dependency status changed.
```
### Final settled recommendation
Treat OP-A / SPEC_STATE updates as red-team closure requirements, not housekeeping afterthoughts.
---
# 5. T1–T20 Opening Brief coverage appendix
Add a compact appendix so Opening Brief target coverage remains visible.
| Target | Final status | Required action |
|---|---|---|
| T1 Member identity / V5 non-goal / manual deletion | Partial | Preserve; add lifecycle non-equivalence lints without reopening lifecycle engine. |
| T2 ReasonCode registry | Needs hardening | Add namespace mechanics, lifecycle, DOC8/DOC25 disposition. |
| T3 DomainProfile registry | Needs hardening | Replace scalar rank with per-axis conservative meet; fix ADQ-313 drift. |
| T4 ContextProduct | Blocking | Resolve 14 vs 17; split registry vs assembly; add product decision/instance spine. |
| T5 MemoryContextPlan | Needs hardening | Add per-product request/disposition grammar. |
| T6 PromptShellRegistry / Variant / LearningContract | Needs hardening | Add PromptShellExposure hook and learning invariant. |
| T7 MemoryFlowCertificate | Needs hardening | Discriminated union; missing lints. |
| T8 Warrant-degradation-trigger registry | Needs hardening | Add trigger payload/lifecycle/producer rules and fixed-fact carveouts. |
| T9 Proof spine | Needs hardening | Add final-prompt truth hook and proof retention classes. |
| T10 MemoryMutationEnvelope named-only | Needs handoff | Add event-sourcing requirements. |
| T11 MemoryProvenanceGraph named-only | Needs handoff | Add node/edge/proof/redaction requirements. |
| T12 Memory-object classification table | Needs expansion | Add proof/projection/prompt/warrant/quota/dependency/decision rows. |
| T13 Observability / health seam | Needs hardening | Add trace correlation, health windows/freshness/severity. |
| T14 MemoryOperationQuota / scale | Needs hardening | Add units/windows/defaults/seed quotas/background strategy. |
| T15 Embedding-model migration refs | Needs hardening | Add model-ref/generation comparability. |
| T16 ExternalDependencyRecord / EC posture | Needs hardening | Add commit SHA, hash algorithm, line pins. |
| T17 Recovery / replay seam | Needs hardening | Add proof retention/replay classes. |
| T18 Invariant enforcement-point naming | Needs hardening | Runtime gate + lint + fixture handoff for every invariant. |
| T19 AC-004 / AC-005 acceptance posture | Needs hardening | AC-004 = schema+lints+fixtures; AC-005 dependency-gated. |
| T20 ABC §21 normalization-object placement | Needs table | Add full placement table. |
---
# 6. Confirmed strengths to preserve
The review should not become only a deficit list. These strengths should be retained:
```text
1. E0’s architectural direction is sound. The failures are hardening failures, not evidence that the DOC80-family decomposition is wrong.
2. The draft covers the E0 Opening Brief targets at a top level.
3. The Stage 6 / Stage 7 boundary is directionally correct for MemoryMutationEnvelope and MemoryProvenanceGraph.
4. The draft correctly treats MemoryFlowCertificate as mandatory for six privileged flow kinds and preserves the internal-candidate-read exemption; the issue is enforcement shape.
5. The snake_case JSON / PascalCase TypeScript direction is good and should be formalized.
6. AC-004 as schema + lints + fixtures is correct and should not be downgraded.
7. E0 correctly tries to separate DOC80-core contracts from downstream member implementation; the problem is a few blurred seams, not a total ownership failure.
8. The correct final posture is moderate surgical revision, not a global architecture restart.
```
---
# 7. Final patch plan
## Patch 1 — P0 source conflict
Resolve `ContextProductKind` 17-vs-14. Adopt ABC §9.2’s 17 unless explicit compression rationale exists. Patch SM-060 and E0 enum. Add `ContextProductDecision` / `ContextProductInstanceId` named spine.
## Patch 2 — Proof-spine hardening
Add `FinalPromptTruthRef` name/invariant/lints. Rewrite `MemoryFlowCertificate` as discriminated union. Replace boolean membership proof. Add proof retention classes.
## Patch 3 — Cross-plane invariants
Add source revocation cascade. Fix revocation monotonicity for contrary edges. Add SemanticProjectionContract. Add ECSeam explicit list.
## Patch 4 — Preservation and gate tables
Add §17A preservation matrix and §17B cross-charter gate table. Add Stage 5R2b lint preservation subsection. Add F-struct #3/#4 shared-runtime-vocabulary architect decision.
## Patch 5 — Registry mechanics
Harden ReasonCode, DomainProfile fallback, WarrantDegradationTriggerRegistry, RenderSafetyCheckRegistry, ExternalDependencyRecord. Resolve DOC8 and DOC25 ReasonCode producer statuses.
## Patch 6 — Context planning / prompt shell
Add ContextProduct registry-entry shape, MemoryContextPlan request/disposition grammar, PromptShellExposure hook, deterministic learned-weight input rule, and lightweight lint/fixture naming convention.
## Patch 7 — Operational hardening
Add trace correlation fields, health/quota/compute-budget/background-yield fields, embedding provenance convention, schema_version convention.
## Patch 8 — Appendices, drift, and closure
Add object classification expansion, ABC §21 table, T1–T20 appendix, §18 golden scenario, role-based readiness checks, source-basis blocks, OP-A / SPEC_STATE / ADDENDA_STATE closure checklist. Run source-pack drift sweep.
---
# 8. Ratification checklist
Do not close E0 red-team review until all are true:
```text
[ ] ContextProductKind conflict resolved and cited.
[ ] SM-060 patched or explicitly reconciled.
[ ] E7/E8 no longer blocked by ContextProduct uncertainty.
[ ] ContextProductDecision / ContextProductInstanceId named hook added.
[ ] FinalPromptTruthRef named with no-learning-without-final-prompt-truth invariant.
[ ] MemoryFlowCertificate discriminated union replaces optional-ref interface.
[ ] Render and learning MFC lints added.
[ ] Render/export proof requirements use target-sensitive wording.
[ ] Membership proof is edge-level, not boolean.
[ ] SourceRevocationCascadeContract and five-plane lints added.
[ ] Revocation monotonicity distinguishes supporting vs contrary edges.
[ ] SemanticProjectionContract added.
[ ] Proof retention classes added.
[ ] ReasonCode namespace mechanics added and DOC8 status resolved.
[ ] ReasonCode DOC25 producer status resolved with source citation or architect decision.
[ ] DomainProfile scalar rank removed or demoted; per-axis conservative meet rule added.
[ ] WarrantDegradationTriggerRegistry payload/lifecycle mechanics added.
[ ] Static / authority-fixed / user-locked warrant-degradation carveouts added.
[ ] RenderSafetyCheckRegistry either defined or E8 blocked.
[ ] ExternalDependencyRecord has commit SHA, hash algorithm, line pins.
[ ] MemoryCoordinationTrace has session_ref / turn_id / correlation ID.
[ ] MME and MemoryProvenanceGraph have Stage 7 handoff requirements.
[ ] ECSeam explicitly states read-model refresh and no non-EC durable writer.
[ ] Schema_version convention added.
[ ] Stage 5R2b lint names preserved.
[ ] Lifecycle non-equivalence lints added without reopening lifecycle engine.
[ ] Object classification table expanded.
[ ] E0 ADQ pinning normalized across Index / Input Deck / Opening Brief / ADQ Queue / draft.
[ ] §17A preservation matrix added.
[ ] §17B cross-charter gate table added.
[ ] F-struct #3/#4 shared-runtime-vocabulary decision row added.
[ ] Lightweight lint/fixture naming convention added without Stage 8/9 meta-schema bodies.
[ ] §18 golden scenario added.
[ ] ABC §21 placement table added.
[ ] T1–T20 appendix added.
[ ] Source-basis blocks included for all P0/high findings.
[ ] Source-pack drift sweep completed.
[ ] Stage 7/8/9 implementation bodies not over-pulled into E0.
[ ] OP-A updated and SPEC_STATE / ADDENDA_STATE updated if workflow state changed.
```
---
# 9. Final assessment
The final settled view is not “E0 is bad.” It is:
```text
E0 is architecturally promising but not yet misuse-resistant.
```
The highest-value correction is to stop thinking of E0 as a list of objects and start treating it as the **contract grammar** for the whole memory family.
An A-grade E0 should let downstream authors proceed without rediscovering Stage 5R2 work or inventing hidden semantics. After the patches above, E0 would become a strong foundation. Before them, it remains too easy for later specs to:
```text
- bind to a phantom ContextProduct enum;
- learn from non-executed prompt content;
- let proof artifacts become decorative;
- use projections as truth;
- miss source revocation fan-out;
- fail to stitch traces by user turn;
- degrade static or authority-fixed facts;
- hide runtime yield behavior behind booleans;
- let source-pack drift undermine review fidelity;
- close a review without OP-A / SPEC_STATE state continuity.
```
The path to A is clear and surgical: patch the P0 source conflict, harden the proof spine, add the preservation/gate matrices, preserve the shared-vocabulary and lint/fixture naming grammar, normalize source-pack drift, and keep E0 scoped to what it truly owns.